Implementing a WAF

Presentation @ local Owasp Ireland Chapter on my experiences of implementing a Web Application Firewall


  1. TRIALS & TRIBULATIONS OF WAF. Mark Hillick - @markofu. Thursday 20 May 2010
  2. `awk -F: '/root/ {print $5}' /etc/passwd` (Mark Hillick)
  3. PHASES: Introduction; Starting Out; Design; Test; Implementation; Post-Implementation
  4. INTRODUCTION - WHAT IS A WAF?
  5. INTRODUCTION - WAF TODAY? WAF Marketplace; Maturing; Compliance; Boo
  6. INTRODUCTION - WAF TODAY? "WAF deployments were initially propelled by PCI ... but are now increasingly driven by security best practices." Source: Forrester 2010
  7. INTRODUCTION - NUMBERS: $200 million; 20%
  8. INTRODUCTION - VENDORS: Software/Hardware; Commercial/Open Source
  9. INTRODUCTION - EH???? WHAT???? XSS; XSRF; SQL Injection; APT; Zero Day; Click Jacking; Cookie/Session Hijacking
  10. INTRODUCTION - COMPETITORS: IDS; Reverse Proxy; IPS; Network FW; Proxy; Secure Code
  11. INTRODUCTION - PRE-SALES: Know your subject; Question, Ask, Query, Demand; Plan, Test, Plan, Test
  12. STARTING OUT - GOAL
  13. STARTING OUT - RESEARCH: Research -> knowledge & understanding
  14. STARTING OUT - STATISTICS: "6.5 times more expensive to fix a flaw in development than during design, 15 times more in testing, and 100 times more in development." Source: http://2010survey.whitehatimperva.com/
  15. STARTING OUT - INTERNAL SELL (1): Technical issues in business language (e.g. just-in-time patching) and a bit of
  16. STARTING OUT - INTERNAL SELL (2): Know your costs; Advantages over cheaper alternatives!
  17. STARTING OUT - INTERNAL SELL (4): "There is a disconnect between the acknowledgement of security issues and the willingness to fix them." Source: The HP Security Laboratory Blog
  18. STARTING OUT - INTERNAL SELL (4): Do not oversell; WAF != unhackable
  19. STARTING OUT - PLAN (1): I love it when...... (Copyright © NBC)
  20. STARTING OUT - PLAN (2): WANTED!!!! Owner/Champion/Lover
  21. STARTING OUT - PLAN (3)
  22. STARTING OUT - PLAN (4): UAT & SDLC; Configuration - Delegation?; Alerting; Incident Response Plan; Logging & Analysis; Reporting
  23. TEST - TEST (Source: http://www.flickr.com/photos/kodomut/)
  24. TEST - SDLC: How does it change? When? Who?
  25. TEST - OPERATIONAL: Not what you want, is it?
  26. TEST - FUNCTIONAL: Functional; Generic; Specific (Source: http://www.flickr.com/photos/54724780@N00/)
  27. TEST - STRESS: STRESS == LEARNING (Source: http://www.flickr.com/photos/54724780@N00/)
  28. TEST - THE FUN 'BIT': Does it work....... (Source: http://nmap.org/movies.html, Copyright © Warner Bros.)
  29. TEST - POLICY: Administration Policy; Who has access?; Delegation?; Change Management - different?; Incident Response Plan? What is an Incident?
  30. IMPLEMENTATION - PLAN: Plan B? (Copyright © Fox)
  31. IMPLEMENTATION - ALMOST: Almost there, don't cut corners! COMPLETE TESTING FULLY!!!!!
  32. IMPLEMENTATION - SET-UP: +ve Security Model; Transparent; Informational Logging; Generic versus Specific; Analysis; Reporting
  33. IMPLEMENTATION - READ: Check your logs!!!
  34. IMPLEMENTATION - HACK: External Testing
  35. IMPLEMENTATION: Transparent -> Blocking; Generic -> Specific
  36. POST-IMPLEMENTATION - WAF: Your infrastructure has changed!! Patching, Policy Changes, Application Upgrades
  37. POST-IMP - STILL, OH YES? SDLC; Network Firewall & ACLs; Code Analysis; Penetration & Vulnerability Testing; Incident Response Plan???? -> Incident? What?
  38. POST-IMP - TICK TOCK, NO MORE!!
  39. POST-IMP - USE IT! NO!!!!!!
  40. POST-IMPLEMENTATION - STILL? As someone-else once said!!
  41. RESOURCES: SANS Reading Room (Scareware via Web App exploit); SANS, Owasp, WebAppSec; Web 2.0 -> Blogs, Twitter; Vendor Sites
  42. CONCLUSION - WAF: Extra layer of defence but also admin; Can be an excellent and effective solution; Is it what I need?; Only a part of defence-in-depth!!!!
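Slides 32 and 35 describe the roll-out path in four words each: positive security model, transparent first, then blocking; generic rules first, then specific ones. The following is an added illustration of what that path looks like in code. It is not from the talk or from any WAF product; the endpoints, parameter shapes and sample requests are all constructed for the example, and a real WAF would sit in front of the application as a reverse proxy rather than as a function call.

```python
"""Minimal positive-security-model request filter (added example, not from the talk).

Two ideas from the slides are modelled:
  * mode:  "transparent" logs what it WOULD block but lets everything through;
           "blocking" actually denies.  Deployments start transparent, read the
           logs (slide 33), then flip to blocking (slide 35).
  * rules: a GENERIC charset rule applies to any path the policy does not know;
           SPECIFIC per-path rules name every allowed parameter and its shape,
           and anything unlisted is a violation (allow known-good, deny the rest).
All paths, parameters and requests below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Generic rule: any parameter value is limited to a conservative character set.
GENERIC_VALUE = re.compile(r"^[A-Za-z0-9 _.@-]{0,64}$")

# Specific rules (hypothetical endpoints): allowlist of parameter names per path,
# each with the exact shape its value must have.
SPECIFIC = {
    "/login": {
        "user": re.compile(r"^[a-z][a-z0-9_]{2,15}$"),
        "pw": re.compile(r"^.{8,64}$"),
    },
    "/search": {
        "q": re.compile(r"^[A-Za-z0-9 ]{1,40}$"),
        "page": re.compile(r"^[0-9]{1,3}$"),
    },
}


@dataclass
class Request:
    path: str
    params: dict


@dataclass
class Decision:
    action: str       # "allow" or "block"
    violations: list  # human-readable reasons, empty when the request is clean


def evaluate(req, specific=SPECIFIC):
    """Return the list of rule violations for one request (empty list = clean)."""
    violations = []
    rules = specific.get(req.path)
    if rules is None:
        # Path unknown to the specific policy: fall back to the generic charset rule.
        for name, value in req.params.items():
            if not GENERIC_VALUE.match(value):
                violations.append(f"generic: {name} has disallowed characters")
        return violations
    # Path has a specific policy: unknown parameter names and wrong-shaped values both fail.
    for name, value in req.params.items():
        pattern = rules.get(name)
        if pattern is None:
            violations.append(f"specific: {req.path} does not accept parameter {name}")
        elif not pattern.match(value):
            violations.append(f"specific: {req.path} parameter {name} has wrong shape")
    return violations


def decide(req, mode, log):
    """Apply the policy in the given mode; append an informational log line on any violation."""
    violations = evaluate(req)
    if not violations:
        return Decision("allow", [])
    if mode == "transparent":
        log.append(f"WOULD-BLOCK {req.path} {'; '.join(violations)}")
        return Decision("allow", violations)
    log.append(f"BLOCK {req.path} {'; '.join(violations)}")
    return Decision("block", violations)


# Constructed sample traffic: two clean requests to known paths, one malformed
# search value, one unexpected parameter, and two requests to a path covered only
# by the generic rule (one clean, one not).
SAMPLE = [
    Request("/login", {"user": "alice", "pw": "correct horse"}),
    Request("/search", {"q": "waf owasp", "page": "2"}),
    Request("/search", {"q": "x' OR 1=1 --"}),
    Request("/search", {"q": "cats", "debug": "1"}),
    Request("/about", {"lang": "en"}),
    Request("/about", {"lang": "en<script>"}),
]


def run(mode, requests=SAMPLE):
    """Push every request through the filter in one mode; return (decisions, log lines)."""
    log = []
    decisions = [decide(r, mode, log) for r in requests]
    return decisions, log


if __name__ == "__main__":
    for mode in ("transparent", "blocking"):
        decisions, log = run(mode)
        print(mode, [d.action for d in decisions])
        print("\n".join(log))
```

Running it in transparent mode allows all six requests and writes three WOULD-BLOCK lines, which is exactly the log you review before flipping the switch; in blocking mode the same three requests are denied. Note that the `debug` parameter is rejected purely because `/search` does not declare it, which is the positive model doing its job, and also the reason slide 36 matters: an application upgrade that adds a parameter will start tripping this rule until the policy is updated.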
